Office 365 ADFS error "AADSTS50008: Unable to verify token signature."


Trying to access an Office 365 mailbox via browser, the system returned the ADFS error "AADSTS50008: Unable to verify token signature."

After entering the credentials in the Office 365 portal, the following error is displayed:

AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys.


Once confirmed that both ADFS and WAP services are up and running with no issues, the Certificates status in the AD FS console is reported as shown in the picture below. The Token-decrypting certificate has been updated with a recent date.


To fix this issue, I found a great post at Robin CM's IT Blog with the correct PowerShell commands to run. Open the PowerShell console and type the following command to connect to Azure Active Directory:

PS C:\ Connect-MsolService -Credential (Get-Credential)

Enter your Office 365 admin credentials and click OK.


Now type the following command to specify the server on which AD FS is running:

PS C:\ Set-MsolADFSContext -Computer w12r2-adfs01.nolabnoparty.local


Since the certificate has changed in AD FS, you need to run the following command to update the new token decryption certificate in Azure Active Directory:

PS C:\ Update-MsolFederatedDomain -DomainName


After running the PowerShell commands, the Office 365 mailbox is accessible once again.


You may wait some minutes after entering the commands before being able to access the mailbox.



  1. Sascha Seipp 19/12/2018
  2. Chris-Robin Heimdal 12/03/2020